The World Needs Google Project Zero to be Real

Jul 16 2014, 6:10am CDT | in News | Technology News


If someone does something altruistic in security most stand up and applaud. But these days, such actions also tend to attract polemicists to the party. Especially of the cantankerous variety. Perhaps it’s no surprise then that Google’s Project Zero, which will gather some of the world’s finest minds in security to uncover dangerous bugs on the web, has attracted some scorn.

The withering comments are coming from a contentious part of the security industry: the zero-day exploit market. Companies in this sphere sell unpatched vulnerabilities to governments, law enforcement and private entities, presumably to help them protect their own, though it’s believed the exploit code is also used to attack as well as defend. They claim they are doing the world a favour by finding the bugs and being responsible in selling them to trusted parties. Criminals are doing the same, so isn’t it better to have more “good guys” hoovering up bugs before crooks do?

Possibly. But there are many who loathe zero-day merchants. As they often won’t tell the vendor about the bugs they find, most people using the affected software remain in danger. And it’s only the merchants and their customers who benefit.

It’s possible Google’s Project Zero could disrupt that market, finding those vulnerabilities before anyone else does. Given the number of bugs that emerge from the cracks every year, though, this seems unlikely at best. That’s why people like Chaouki Bekrar, who heads up exploit seller VUPEN, have claimed Project Zero is “yet another marketing campaign from Google corporation, nothing new under the sun from a cyber security perspective”.

“What Google did not understand is that killing a few zero-days will make Google’s researchers and/or shareholders feel better but it will definitely not kill the market of zero-day exploits,” Bekrar said over email. “Instead it will make it even more lucrative as both the white and black market’s prices for zero-days will increase each time the number of available exploits decreases.” There will be a lot of money going around then: legitimate zero-day merchants have previously said their exploit code has sold for upwards of $500,000 in the past.

Robert Graham from Errata Security, which offers “offensive” security services, noted Google has already been looking for zero-days in every kind of software. “I don’t think anything’s changed other than now they have a really cool name to put on the project,” Graham added.

“The most important aspect of this is how it helps Google… having a close-knit team of researchers learning from each allows each member to produce vastly more than if they were working alone. Looking at other products produces intelligence that can be used to improve Google’s own products.”

If Bekrar and Graham are right, and Project Zero doesn’t negatively affect the zero-day vulnerabilities market and the value of these bugs goes up, criminal dealers are also likely to benefit. That’s perverse.

Not that crooks dealing in zero-days are selling cheap. Just this week, the Russian hacker w0rm who attacked CNET and made off with at least a million users’ encrypted passwords sent your reporter screenshots of what appeared to be his own exploit marketplace, w0rm.in. It included the bug w0rm used in the attack on the popular tech website, affecting the Symfony Framework, tools that help developers build PHP code for websites.

According to w0rm, there are currently around 100 zero-days available for purchase on w0rm.in. The one in Symfony is going for as much as $30,000, whilst screenshots show others affecting some of the world’s biggest websites going for between $500 and $15,000 (those images won’t be shown here in case they are genuine bugs that criminals could use to steal data from those sites, though there is one shot below of the market).

Speaking in Russian, w0rm said the w0rm.in team came from an old school hacking background and have a love for freedom of information. They bring together experts to develop solutions for serious security problems, they added, whilst admitting that breaching a site’s defences was illegal in most countries on the planet.

Outside of recommending CNET start collaborating with w0rm.in to improve security on the site, which would no doubt include a hefty fee, w0rm suggested CNET start up a bounty programme to help prevent future attacks. Neither of those two things is likely to happen and one gets the feeling w0rm is being a tad disingenuous. The hacker won’t be disclosing the vulnerability in Symfony either, even though it would be a boon for internet security. Instead, he will try to make money out of it.

If only Google and its Project Zero team, or anyone for that matter, could bring an end to this kind of illicit activity. It would bring much-needed security to the world’s internet users.

 

Author: Forbes